View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004954 | OXID eShop (all versions) | 4.07. Source code, Test | public | 2013-02-21 17:42 | 2013-02-22 11:06 |
Reporter | d3 | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Fixed in Version | 4.7.4 / 5.0.4 revision 57063 | ||||
Summary | 0004954: missing getViewName() in SQL statements | ||||
Description | oxorder::_setOrderStatus( $sStatus ):<br>`$sQ = 'update oxorder set oxtransstatus='.$oDb->quote( $sStatus ).' where oxid='.$oDb->quote( $this->getId() );`<br>better:<br>`$sViewName = $this->getCoreTableName();`<br>`$sQ = 'update '.$sViewName.' set oxtransstatus='.$oDb->quote( $sStatus ).' where oxid='.$oDb->quote( $this->getId() );`<br>More examples:<br>oxorder::_updateOrderDate():<br>`$sQ = 'update oxorder set oxorderdate=\''.$sDate.'\' where oxid='.$oDb->quote( $this->getId() );`<br>oxorder::_setNumber():<br>`$sQ = "update oxorder set oxordernr = $iCnt where oxid = ?";`<br>oxorder::getInvoiceNum():<br>`$sQ = 'select max(oxorder.oxinvoicenr) from oxorder where oxorder.oxshopid = "'.$this->getConfig()->getShopId().'" ';`<br>There are many more cases like these, also in other classes:<br>oxarticle::reduceStock($dAmount, $blAllowNegativeStock = false):<br>`$oDb->execute( 'update oxarticles set oxarticles.oxstock = '.$oDb->quote( $iStockCount ).' where oxarticles.oxid = '.$oDb->quote( $this->getId() ) );` | ||||
Tags | No tags attached. | ||||
Theme | Both | ||||
Browser | All | ||||
PHP Version | any | ||||
Database Version | any | ||||
Fixed some queries with missing quoting. Using the getCoreTableName() method in query construction is not necessary; it is normal to use the real table name in insert, update and delete queries. But we take this bug as a note for the future to make one standard for queries which select data (using getViewName()) and other queries.
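The convention stated in the resolution note, reads through the shop-scoped view from getViewName() and writes against the real table from getCoreTableName() with every value quoted, is shown below as an added, stand-alone sqlite3 model. It is not OXID code: the functions get_view_name() and get_core_table_name(), the view naming pattern "oxv_<table>_<shopid>", and the sample rows are assumptions made for this example. The unscoped variant drops the shop filter entirely to show what a select that bypasses the view can return; bound parameters play the role of $oDb->quote() for values, while table and view names must come from code because identifiers cannot be bound.

```python
# Added example for this issue page: a stand-alone sqlite3 model of the query
# convention from the resolution note. It is not OXID code. get_view_name(),
# get_core_table_name() and the "oxv_<table>_<shopid>" view pattern are assumed.
import sqlite3


def get_core_table_name(table: str) -> str:
    """Real table, used for insert/update/delete (stand-in for getCoreTableName())."""
    return table


def get_view_name(table: str, shop_id: int) -> str:
    """Shop-scoped read view (stand-in for getViewName()); the naming is assumed."""
    return f"oxv_{table}_{shop_id}"


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two shops sharing one oxorder table."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE oxorder (
            oxid          TEXT PRIMARY KEY,
            oxshopid      INTEGER NOT NULL,
            oxordernr     INTEGER,
            oxinvoicenr   INTEGER,
            oxtransstatus TEXT
        );
        CREATE VIEW oxv_oxorder_1 AS SELECT * FROM oxorder WHERE oxshopid = 1;
        CREATE VIEW oxv_oxorder_2 AS SELECT * FROM oxorder WHERE oxshopid = 2;
        INSERT INTO oxorder VALUES ('a1', 1, 10, 100, 'OK');
        INSERT INTO oxorder VALUES ('a2', 1, 11, 101, 'OK');
        INSERT INTO oxorder VALUES ('b1', 2,  1, 500, 'OK');
        """
    )
    return con


def next_invoice_num(con: sqlite3.Connection, shop_id: int) -> int:
    """Read path: select through the shop view, so the result is scoped to the shop.
    The view name comes from code, never from request data; identifiers cannot be
    bound as parameters, so only values go through placeholders."""
    view = get_view_name("oxorder", shop_id)
    (max_nr,) = con.execute(f"SELECT MAX(oxinvoicenr) FROM {view}").fetchone()
    return (max_nr or 0) + 1


def next_invoice_num_unscoped(con: sqlite3.Connection) -> int:
    """Hardcoded base table and no shop restriction: sees every shop's rows,
    so the next number for shop 1 is computed from shop 2's data."""
    (max_nr,) = con.execute("SELECT MAX(oxinvoicenr) FROM oxorder").fetchone()
    return (max_nr or 0) + 1


def status_of(con: sqlite3.Connection, oxid: str) -> str:
    """Helper: current oxtransstatus of one order, read from the real table."""
    table = get_core_table_name("oxorder")
    row = con.execute(f"SELECT oxtransstatus FROM {table} WHERE oxid = ?", (oxid,)).fetchone()
    return row[0]


def set_order_status(con: sqlite3.Connection, oxid: str, status: str) -> str:
    """Write path: real table name, values bound (the role $oDb->quote() plays).
    A status containing quote characters is stored literally; no other row changes."""
    table = get_core_table_name("oxorder")
    con.execute(f"UPDATE {table} SET oxtransstatus = ? WHERE oxid = ?", (status, oxid))
    con.commit()
    return status_of(con, oxid)


if __name__ == "__main__":
    db = setup_db()
    print("shop 1 next invoice via view:", next_invoice_num(db, 1))        # 102
    print("shop 2 next invoice via view:", next_invoice_num(db, 2))        # 501
    print("unscoped max over base table:", next_invoice_num_unscoped(db))  # 501
    print("stored status:", set_order_status(db, "a1", "X' OR '1'='1"))
    print("untouched row:", status_of(db, "a2"))                           # OK
```

The model keeps the two paths distinct on purpose: the only dynamic parts of the SQL strings are the table or view name, which is selected by code from the shop id, while the status, order id and similar values are always passed as parameters rather than concatenated, which is the quoting the fix in this issue adds.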